CVE-2025-14882: CWE-639 Authorization Bypass Through User-Controlled Key in pretix pretix-offlinesales
An API endpoint allowed access to sensitive files belonging to other users by knowing the UUID of the file, even though those files were not intended to be accessible by UUID alone.
AI Analysis
Technical Summary
CVE-2025-14882 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting pretix-offlinesales version 1.12.0. The flaw exists in an API endpoint that allows authenticated users with limited privileges to access sensitive files belonging to other users simply by knowing the UUID of those files. The UUID acts as a user-controlled key, and the system fails to verify whether the requesting user is authorized to access the file associated with that UUID. This results in unauthorized disclosure of sensitive information. The vulnerability has a CVSS 4.0 base score of 3.8, indicating low severity, primarily because it requires authentication with limited privileges and does not require user interaction. The impact is mainly on confidentiality, as unauthorized users can read files they should not have access to. There is no impact on integrity or availability. No known exploits have been reported, and no patches have been published at the time of disclosure. The vulnerability was published on December 19, 2025, and is assigned to the pretix project, event ticketing software widely used in Europe. The lack of authorization checks on UUID-based file access points to a design flaw in which the UUID is treated as a secret token rather than as an identifier that still requires access control enforcement.
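The following is an added illustration of the CWE-639 pattern described above and is not code from pretix or pretix-offlinesales: a hypothetical in-memory file store (the names StoredFile, FileStore, Forbidden and the organizer-based ownership model are assumptions) shows a lookup keyed on the UUID alone beside a lookup scoped to the organizers the requesting user is entitled to.

```python
from dataclasses import dataclass
from uuid import UUID, uuid4


# Hypothetical model standing in for the plugin's file store; these names and
# the organizer-based ownership are assumptions, not pretix internals.
@dataclass(frozen=True)
class StoredFile:
    id: UUID
    organizer: str  # organizer (tenant) that owns the file
    content: bytes


class Forbidden(Exception):
    pass


class FileStore:
    def __init__(self) -> None:
        self._files: dict[UUID, StoredFile] = {}

    def add(self, organizer: str, content: bytes) -> UUID:
        f = StoredFile(uuid4(), organizer, content)
        self._files[f.id] = f
        return f.id

    # Vulnerable pattern (CWE-639): the UUID alone selects the record and the
    # caller's permissions are never consulted, so any authenticated user who
    # learns a UUID can read the file. The UUID is being treated as a secret.
    def fetch_unchecked(self, file_id: UUID) -> bytes:
        return self._files[file_id].content

    # Hardened pattern: the lookup is scoped to the organizers the requesting
    # user may access. A UUID outside that scope is handled exactly like a
    # nonexistent one, so the endpoint does not become an ownership oracle.
    def fetch(self, file_id: UUID, user_organizers: frozenset[str]) -> bytes:
        f = self._files.get(file_id)
        if f is None or f.organizer not in user_organizers:
            raise Forbidden("file not found or not permitted")
        return f.content


def demo() -> tuple[bool, bool]:
    """Return (unchecked_path_leaks, checked_path_blocks) for one file."""
    store = FileStore()
    fid = store.add("org-a", b"attendee export")
    bob = frozenset({"org-b"})  # authenticated, but only entitled to org-b
    leaks = store.fetch_unchecked(fid) == b"attendee export"
    try:
        store.fetch(fid, bob)
        blocks = False
    except Forbidden:
        blocks = True
    return leaks, blocks
```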
Potential Impact
For European organizations using pretix-offlinesales 1.12.0, this vulnerability poses a risk of unauthorized disclosure of sensitive files, potentially including personal data or confidential event-related information. This can lead to privacy violations under GDPR, reputational damage, and loss of customer trust. Although the severity is low, the exposure of sensitive files could facilitate further attacks or data leaks. Organizations in sectors such as event management, cultural institutions, and ticketing services across Europe are particularly at risk. The impact is heightened in countries with strict data protection regulations, where unauthorized data access can result in significant fines and legal consequences. Since the vulnerability requires authentication with limited privileges, insider threats or compromised user accounts could be leveraged to exploit this flaw. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks once the vulnerability becomes widely known.
Mitigation Recommendations
Until an official patch is released, European organizations should implement the following mitigations:
1) Restrict access to the pretix-offlinesales API endpoints to trusted networks and users only, minimizing exposure.
2) Monitor and audit API access logs for unusual access patterns or attempts to access files by UUIDs not owned by the requesting user.
3) Enforce strict user privilege management to limit the number of users with access to the vulnerable API.
4) Implement additional application-layer access controls or reverse proxies that validate user authorization before forwarding requests to the vulnerable endpoint.
5) Educate users and administrators about the risk and encourage strong credential hygiene to reduce the risk of account compromise.
6) Engage with the pretix vendor or community to obtain updates on patch availability and apply fixes promptly once released.
7) Consider temporarily disabling or restricting the use of the offlinesales feature, if feasible, to eliminate the attack surface.
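Mitigation 2 above, as an added example that is not part of the advisory or of pretix: the log lines, the endpoint path /api/v1/offlinesales/files/<uuid>/, the UUIDs and the ownership tables are all constructed assumptions; the logic flags successful reads of a file whose owning organizer the requesting user is not entitled to, and surfaces users that repeat the pattern.

```python
import re
from collections import defaultdict

# Assumed URL shape; the real endpoint path is not given in the advisory.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/v1/offlinesales/files/(?P<file>[0-9a-f-]{36})/ (?P<status>\d{3})$"
)

# Constructed ownership data: the organizer each file belongs to and the
# organizers each user is entitled to. In a deployment this comes from the
# application database, not from a literal.
FILE_OWNER = {
    "6f1c2a3e-1111-4a4a-8b8b-000000000001": "org-a",
    "6f1c2a3e-1111-4a4a-8b8b-000000000002": "org-a",
    "6f1c2a3e-2222-4a4a-8b8b-000000000003": "org-b",
}
USER_ORGS = {"alice": {"org-a"}, "bob": {"org-b"}}

# Constructed sample access log (not real pretix output).
SAMPLE_LOG = """\
2025-12-19T10:00:01Z user=alice GET /api/v1/offlinesales/files/6f1c2a3e-1111-4a4a-8b8b-000000000001/ 200
2025-12-19T10:00:05Z user=bob GET /api/v1/offlinesales/files/6f1c2a3e-2222-4a4a-8b8b-000000000003/ 200
2025-12-19T10:00:09Z user=bob GET /api/v1/offlinesales/files/6f1c2a3e-1111-4a4a-8b8b-000000000001/ 200
2025-12-19T10:00:10Z user=bob GET /api/v1/offlinesales/files/6f1c2a3e-1111-4a4a-8b8b-000000000002/ 200
"""


def cross_tenant_reads(log: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, file) for successful reads of files whose
    organizer the user is not entitled to. Files missing from the ownership
    map are flagged as well; unparseable lines are skipped."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        owner = FILE_OWNER.get(m["file"])
        if owner not in USER_ORGS.get(m["user"], set()):
            hits.append((m["ts"], m["user"], m["file"]))
    return hits


def users_over_threshold(log: str, limit: int = 2) -> dict[str, int]:
    """Users with at least `limit` cross-tenant reads: a cheap alert trigger
    for the access pattern this CVE makes possible."""
    counts: dict[str, int] = defaultdict(int)
    for _, user, _ in cross_tenant_reads(log):
        counts[user] += 1
    return {u: n for u, n in counts.items() if n >= limit}
```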
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: rami.io
- Date Reserved: 2025-12-18T11:52:58.280Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6945478da90e3c9a1530ec0e
Added to database: 12/19/2025, 12:39:41 PM
Last enriched: 12/26/2025, 12:58:19 PM
Last updated: 2/7/2026, 2:06:43 PM